LDAP groups problem #1648

New Issue

OVERLORD · 2026-02-05T01:30:28+03:00

OVERLORD commented

2026-02-05 01:30:28 +03:00

Originally created by @nem1989 on GitHub (Apr 14, 2020).

I believe I've found a bug and I know how to reproduce it.

Set up AD auth.
LDAP_USER_TO_GROUPS=true
Create group like "BS-Admins" and add some users there.
In BookStack admin panel rename "Admin" role to BS-Admins.
Log in as BS-Admins member.
Result: no BS-Admins role assigned to that user.

But if you rename it back and create a brand new role with the same name, it will work fine. I think renaming default groups just does not work with LDAP auth.

Originally created by @nem1989 on GitHub (Apr 14, 2020). I believe I've found a bug and I know how to reproduce it. 1. Set up AD auth. 2. LDAP_USER_TO_GROUPS=true 3. Create group like "BS-Admins" and add some users there. 4. In BookStack admin panel rename "Admin" role to BS-Admins. 5. Log in as BS-Admins member. Result: no BS-Admins role assigned to that user. But if you rename it back and create a brand new role with the same name, it will work fine. I think renaming default groups just does not work with LDAP auth.

OVERLORD added the 🐛 Bug 📖 Docs Update 🚪 Authentication 🏭 Back-End labels 2026-02-05 01:30:28 +03:00

OVERLORD closed this issue

2026-02-05 01:30:30 +03:00

OVERLORD commented

2026-02-05 01:30:31 +03:00

@bcarlson23 commented on GitHub (Apr 16, 2020):

This also happens with custom groups if the name changes (with OpenLDAP).

Setup OpenLDAP Auth
LDAP_USER_TO_GROUPS=true
Create a group in LDAP with name "test-users"
In the Bookstack admin panel, create a new role with a typo "tst-users"
Correct the typo in admin panel, change existing "tst-users" group to "test-users"
Login as test-users member
Result: No test-users role assigned to that user

@bcarlson23 commented on GitHub (Apr 16, 2020): This also happens with custom groups if the name changes (with OpenLDAP). 1. Setup OpenLDAP Auth 2. LDAP_USER_TO_GROUPS=true 3. Create a group in LDAP with name "test-users" 4. In the Bookstack admin panel, create a new role with a typo "tst-users" 5. Correct the typo in admin panel, change existing "tst-users" group to "test-users" 6. Login as test-users member Result: No test-users role assigned to that user

OVERLORD commented

2026-02-05 01:30:33 +03:00

@ssddanbrown commented on GitHub (Apr 26, 2020):

Can confirm this. BookStack stores a name and a display_name separately. Think the use of name was historical but now not really used apart from in the group matching logic for auth systems. Ideally the name field should be dropped in favour of the display_name field but we'd have to go careful to avoid it causing side-effects on migration. Might be better just to expose the name field as editable.

For now, You can work-around this in one of two ways:

Set a name in the external_auth_id field which will be used instead of the name.
Update the name field on the roles table within the database manually.

@ssddanbrown commented on GitHub (Apr 26, 2020): Can confirm this. BookStack stores a `name` and a `display_name` separately. Think the use of `name` was historical but now not really used apart from in the group matching logic for auth systems. Ideally the `name` field should be dropped in favour of the `display_name` field but we'd have to go careful to avoid it causing side-effects on migration. Might be better just to expose the `name` field as editable. For now, You can work-around this in one of two ways: * Set a name in the `external_auth_id` field which will be used instead of the name. * Update the `name` field on the `roles` table within the database manually.

OVERLORD commented

2026-02-05 01:30:35 +03:00

@ssddanbrown commented on GitHub (Aug 4, 2020):

So this issues was slightly different to what was expected. Matching was done on the "Display Name" but only those with a matching "External Auth ID" or "Name" field would be considered. Old "Name" field has now been removed and the "Display Name" for all roles will be considered.

This will be part of the v0.30 release. Will need to note in update details that additional roles may match now on display name, where they may not have been matching before.

Thanks @nem1989 for reporting this and thanks @bcarlson23 for confirming the issue and providing further detail.

@ssddanbrown commented on GitHub (Aug 4, 2020): So this issues was slightly different to what was expected. Matching was done on the "Display Name" but only those with a matching "External Auth ID" or "Name" field would be considered. Old "Name" field has now been removed and the "Display Name" for all roles will be considered. This will be part of the v0.30 release. Will need to note in update details that additional roles may match now on display name, where they may not have been matching before. Thanks @nem1989 for reporting this and thanks @bcarlson23 for confirming the issue and providing further detail.

OVERLORD referenced this issue

2026-02-05 10:18:54 +03:00

[PR #1667] [MERGED] Add support for INI format in code editor #5861

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#1648